Lecture notes for Advanced Computer Networks, Chapter 13: Firewalls, covering Firewalls (stateless packet filtering, stateful packet filtering, application gateways), Intrusion Detection Systems (IDS), and Denial of Service attacks.
Page 1: Advanced Computer Networks - V1
Page 2: Firewalls & IDS Outline
Firewalls
◦ Stateless packet filtering
◦ Stateful packet filtering
Access Control Lists
◦ Application Gateways
Intrusion Detection Systems (IDS)
◦ Denial of Service Attacks
Page 3: Firewall
A firewall isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
[Figure: administered network | firewall | public Internet]
Page 4: Why Firewalls?
Prevent denial of service (DoS) attacks:
• SYN flooding: attacker establishes many bogus TCP connections, leaving no resources for "real" connections.
Prevent illegal modification/access of internal data:
• e.g., attacker replaces CIA's homepage with something else.
Allow only authorized access to the inside network (a set of authenticated users/hosts).
Three types of firewalls:
1 stateless packet filters
2 stateful packet filters
3 application gateways
Page 5: Stateless Packet Filtering
[Figure: Should an arriving packet be allowed in? Should a departing packet be let out?]
Internal network connected to the Internet via a router firewall.
The router filters packet-by-packet; the decision to forward/drop a packet is based on:
◦ source IP address, destination IP address
◦ TCP/UDP source and destination port numbers
◦ ICMP message type
◦ TCP SYN and ACK bits
Page 6: Stateless Packet Filtering: Example
Example 1: Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
Result: all incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP segments with ACK=0.
Result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
Page 7: Stateless Packet Filtering: More Examples
Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP address, port 80.
Policy: No incoming TCP connections, except those for the institution's public Web server only.
  Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.
Policy: Prevent Web-radios from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 130.207.255.255).
Policy: Prevent your network from being tracerouted.
  Firewall setting: Drop all outgoing ICMP TTL expired traffic.
Page 8: Access Control Lists
ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs.

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         -
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     -
Page 9: Stateful Packet Filtering
Stateless packet filter: a heavy-handed tool.
◦ admits packets that "make no sense," e.g., dest port = 80, ACK bit set, even though no TCP connection is established:

action  source address        dest address  protocol  source port  dest port  flag bit
allow   outside of 222.22/16  222.22/16     TCP       80           > 1023     ACK

• Stateful packet filter: tracks the status of every TCP connection.
o tracks connection setup (SYN) and teardown (FIN) to determine whether incoming and outgoing packets "make sense".
o times out inactive connections at the firewall: their packets are no longer admitted.
Advanced Computer Networks: Firewalls and IDS
Page 10: Stateful Packet Filtering
ACL augmented to indicate the need to check the connection state table before admitting a packet.

action  source address        dest address          protocol  source port  dest port  flag bit  check conxion
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK       x
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         -
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     -         x
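The ACL of pages 8 and 10 and the stateless/stateful distinction of page 9, as an added Python example that is not part of the lecture: the four rows become data evaluated top to bottom, first with no state at all, then with the "check conxion" column backed by a table of flows the filter saw leave. Assumptions: a packet matching no row is dropped, packets are plain dicts, and the addresses in the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("222.22.0.0/16")  # the lecture's 222.22/16
def inside(ip): return ip_address(ip) in INSIDE
def outside(ip): return not inside(ip)
# ACL rows from pages 8 and 10: (action, src test, dst test, proto, sport test, dport test, flag, check conxion)
ACL = [
    ("allow", inside, outside, "TCP", lambda p: p > 1023, lambda p: p == 80, "any", False),
    ("allow", outside, inside, "TCP", lambda p: p == 80, lambda p: p > 1023, "ACK", True),
    ("allow", inside, outside, "UDP", lambda p: p > 1023, lambda p: p == 53, "-", False),
    ("allow", outside, inside, "UDP", lambda p: p == 53, lambda p: p > 1023, "-", True),
]  # assumption: a packet matching no row is dropped

def matches(rule, pkt):
    _, src_ok, dst_ok, proto, sp_ok, dp_ok, flag, _ = rule
    return (src_ok(pkt["src"]) and dst_ok(pkt["dst"]) and pkt["proto"] == proto
            and sp_ok(pkt["sport"]) and dp_ok(pkt["dport"])
            and (flag in ("any", "-") or flag in pkt["flags"]))

def stateless(pkt):
    """Page 8: the first matching row decides; connection state is never consulted."""
    for rule in ACL:
        if matches(rule, pkt):
            return rule[0]
    return "drop"

def stateful(pkt, conns):
    """Page 10: a row marked 'x' admits the packet only if conns holds the flow it answers."""
    answers = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
    for rule in ACL:
        if matches(rule, pkt):
            if rule[7] and answers not in conns:
                return "drop"  # no connection was set up: the packet "makes no sense"
            return rule[0]
    return "drop"

def track_outbound(pkt, conns):
    """Page 9: remember an outbound flow the filter let out (a TCP SYN, or any UDP query)."""
    setup = pkt["proto"] != "TCP" or "SYN" in pkt["flags"]
    if setup and inside(pkt["src"]) and stateless(pkt) == "allow":
        conns.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"]))

# Constructed sample packets: an inbound ACK from port 80 with no prior connection, and the SYN that would set one up.
BOGUS = {"src": "198.51.100.7", "dst": "222.22.1.10", "proto": "TCP", "sport": 80, "dport": 5000, "flags": {"ACK"}}
SYN_OUT = {"src": "222.22.1.10", "dst": "198.51.100.7", "proto": "TCP", "sport": 5000, "dport": 80, "flags": {"SYN"}}

def demo():
    conns = set()
    before = (stateless(BOGUS), stateful(BOGUS, conns))  # ("allow", "drop")
    track_outbound(SYN_OUT, conns)
    return before + (stateful(BOGUS, conns),)  # ("allow", "drop", "allow")
```

The stateless filter admits the bogus ACK because row 2 matches on headers alone; the stateful filter drops it until an outbound SYN has populated the connection table.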
Page 11: Application Gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: Allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session | application gateway | gateway-to-remote host telnet session | router and filter]
Page 12: Limitations of Firewalls and Gateways
IP spoofing: the router can't know if data "really" comes from the claimed source.
If multiple applications need special treatment, each has its own application gateway.
Client software must know how to contact the gateway.
◦ e.g., must set the IP address of the proxy in the Web browser.
Filters often use an all-or-nothing policy for UDP.
Tradeoff: degree of communication with the outside world vs. level of security.
Many highly protected sites still suffer from attacks.
Page 13: Intrusion Detection Systems (IDS)
Packet filtering:
◦ operates on TCP/IP headers only.
◦ no correlation check among sessions.
IDS: Intrusion Detection System
◦ e.g., checks character strings in a packet against a database of known virus and attack strings.
◦ detects port scanning, network mapping, DoS attacks.
Page 14: Intrusion Detection Systems
Multiple IDSs: employ different types of checking at different locations.
[Figure: Internet | firewall | demilitarized zone (Web server, FTP server, DNS server) | application gateway | internal network; IDS sensors at several points]
Page 15: Firewalls & IDS Summary
Firewalls
Access Control Lists
Intrusion Detection Systems (IDS)
◦ Denial of Service Attacks
Page 16: Q&A